GHSA-cqh2-vc2f-q4fh
GitHub Security Advisory
Arbitrary filepath traversal via URI injection
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
OctoRPKI does not escape a URI with a filename containing "..". This allows a repository to publish a file (for example `rsync://example.org/repo/../../etc/cron.daily/evil.roa`) that would then be written to disk outside the base cache folder, which could allow remote code execution on the host machine OctoRPKI is running on.
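The following Go program is an added illustration of the failure mode described above and of one defensive check against it; it is not code from the cfrpki project or from its fix. It assumes a hypothetical cache layout of `<base>/<host>/<path>` and uses constructed URIs: `NaiveCachePath` joins the host and path straight into the cache base, so enough `..` segments escape it, while `SafeCachePath` rejects `..` segments and additionally verifies, via `filepath.Rel`, that the resolved path still lies under the base directory.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a URI would map to a file outside the cache base.
var ErrTraversal = errors.New("rsync URI path escapes cache base directory")

// NaiveCachePath shows the unsafe pattern (constructed for contrast, not the
// project's code): the host and path from the URI are joined straight into the
// cache base, and ".." segments in the path are honoured by the join.
func NaiveCachePath(base, rawURI string) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", err
	}
	return filepath.Join(base, u.Host, u.Path), nil
}

// SafeCachePath maps an rsync URI onto the local cache and refuses anything
// that would land outside the base directory. Hypothetical hardening, assumed
// cache layout <base>/<host>/<path>.
func SafeCachePath(base, rawURI string) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", err
	}
	if u.Scheme != "rsync" || u.Host == "" {
		return "", fmt.Errorf("unsupported or hostless URI %q", rawURI)
	}
	// First line of defence: no ".." segment is ever legitimate in a host or a
	// repository path, so reject it before any path cleaning happens.
	for _, seg := range strings.Split(u.Host+"/"+u.Path, "/") {
		if seg == ".." {
			return "", ErrTraversal
		}
	}
	// Second line of defence: resolve the candidate and prove it stays under base,
	// so a future change to the join logic cannot silently reopen the hole.
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absBase, u.Host, u.Path)
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return candidate, nil
}

func main() {
	base := "/var/cache/octorpki/rsync" // constructed cache location
	// Constructed URI with enough ".." segments to climb out of the cache base.
	evil := "rsync://example.org/repo/../../../../../../etc/cron.daily/evil.roa"
	good := "rsync://example.org/repo/roa/test.roa"

	p, _ := NaiveCachePath(base, evil)
	fmt.Println("naive  :", p) // lands outside the cache base
	if _, err := SafeCachePath(base, evil); err != nil {
		fmt.Println("safe   : rejected:", err)
	}
	p, _ = SafeCachePath(base, good)
	fmt.Println("safe ok:", p)
}
```

The explicit `..` segment check makes the intent obvious to a reviewer; the `filepath.Rel` containment check is the one that actually guarantees the property, and keeping both means a refactor of either cannot reintroduce the traversal on its own.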
## Patches
## For more information
If you have any questions or comments about this advisory email us at [email protected]
Affected Packages
Go
github.com/cloudflare/cfrpki
Affected versions: 0 (fixed in 1.4.4)
Related CVEs
Key Information
7.5/10
Dataset
Last updated: September 15, 2025 6:32 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.